[Snort-users] ACID 0.9.5 Released

Bill Marquette wlmarque at ...8...
Fri Jan 19 14:34:51 EST 2001



I totally agree Jeff, ACID kicks some serious ass and is well worth a look at.

Your comment on alerting on DB INSERTS made me laugh and reminded me of the time
I had snort trigger (on four different machines) from downloading a new rule
update!

--Bill




From: "Oxenreider, Jeff" <jox at ...963...> on 01/19/2001 11:42 AM

To:   Bill Marquette/National/Hewitt Associates at ...1126... Associates NA
      Guillaume Arcas <guillaume at ...1168...>
cc:   Roman Danyliw <roman at ...438...>
      snort-users at lists.sourceforge.net
Client:
Subject:  RE: [Snort-users] ACID 0.9.5 Released



I just set up Snort 1.7 with MySQL logging and ACID.  I currently have 3
deployed sensors with plans for at least 4 more in the immediate future, and
hopefully another 5 or so after that, all centrally logging to the MySQL
database.

I must say ACID is a huge help to me and my staff when it comes to traffic
analysis of Snort alerts and management loves it because they can jump up
and see a snapshot of how things are going without having to bug me directly
with the questions.

Some of the possible issues that I've come across with this distributed
environment would be duplicate alerts due to infrastructure.  For example, I
have a subnet in another building which is connected to this one over an OC3
link.  Traffic outbound to the internet actually passes through all 3 of my
snort detectors on its way out, and that can sometimes generate an excessive
number of alerts.  Also, since some rules are simply text string searches,
I've found that an alert from an external sensor, into the database (which
has another sensor on that subnet) can sometimes generate false positives
because the payload is passed to the SQL DB, and therefore seen as a valid
alert.

One thing that may be useful is a way to set a host on full "ignore", like
the portscan ignore feature for the portscan; it'd be nice to have a full
blown ignore option for snort, so that my external sensors don't trip alarms
when reporting to the mothership.

If you haven't tried ACID, it really is amazing and worth your time.  The
0.9.5 release has some very nice functionality to it and it's made my
analysis a lot more fun too.



Jeffrey A. Oxenreider
Network Security Analyst
Safelite Glass Corp
614-761-4836
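The two distributed-sensor problems Jeff describes above (the same outbound flow raising an alert on every sensor it crosses, and a sensor's own MySQL logging connection re-triggering string-match rules on another sensor) can be separated at triage time. The following is an added example, not code from the thread, ACID or Snort; the alert records, sensor addresses and the DB host 10.0.0.5 are constructed, and it assumes the sensors log to MySQL on port 3306.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DB_HOST = "10.0.0.5"                                  # assumed central MySQL/ACID host
DB_PORT = 3306                                        # assumed MySQL port used for logging
SENSOR_HOSTS = {"10.1.0.2", "10.2.0.2", "10.3.0.2"}   # assumed addresses of the sensors themselves
WINDOW = timedelta(seconds=5)                         # same flow seen by several sensors within this span

def alert(sensor, ts, sig, src, dst, sport, dport):
    """Build one alert record in the shape of a Snort DB export (constructed sample data)."""
    return {"sensor": sensor, "ts": datetime.fromisoformat(ts), "sig": sig,
            "src": src, "dst": dst, "sport": sport, "dport": dport}

# Constructed sample: one phf probe crossing three sensors, a distinct second probe,
# and sensor-a's INSERT of the first alert's payload into the DB, caught by sensor-c.
ALERTS = [
    alert("sensor-a", "2001-01-19T09:30:00", "WEB-CGI phf access", "10.2.5.7", "198.51.100.9", 40001, 80),
    alert("sensor-b", "2001-01-19T09:30:01", "WEB-CGI phf access", "10.2.5.7", "198.51.100.9", 40001, 80),
    alert("sensor-c", "2001-01-19T09:30:01", "WEB-CGI phf access", "10.2.5.7", "198.51.100.9", 40001, 80),
    alert("sensor-c", "2001-01-19T09:30:02", "WEB-CGI phf access", "10.1.0.2", DB_HOST, 51000, DB_PORT),
    alert("sensor-a", "2001-01-19T09:45:00", "WEB-CGI phf access", "10.2.5.7", "198.51.100.9", 40002, 80),
]

def dedup_across_sensors(alerts, window=WINDOW):
    """Merge alerts with the same signature and 5-tuple seen by different sensors within `window`.
    Returns groups in time order, each holding the first alert and the set of sensors that saw it."""
    groups, by_key = [], defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["sig"], a["src"], a["dst"], a["sport"], a["dport"])
        for g in by_key[key]:
            if a["ts"] - g["first"]["ts"] <= window:   # same flow, already recorded by another sensor
                g["sensors"].add(a["sensor"])
                break
        else:
            g = {"first": a, "sensors": {a["sensor"]}}
            by_key[key].append(g)
            groups.append(g)
    return groups

def is_sensor_to_db_echo(a, sensor_hosts=SENSOR_HOSTS, db_host=DB_HOST, db_port=DB_PORT):
    """True when the alert fired on a sensor's own logging connection to the database."""
    return a["src"] in sensor_hosts and a["dst"] == db_host and a["dport"] == db_port

def triage(alerts):
    """Split deduplicated groups into real events and sensor-to-DB echoes."""
    unique, echoes = [], []
    for g in dedup_across_sensors(alerts):
        (echoes if is_sensor_to_db_echo(g["first"]) else unique).append(g)
    return unique, echoes
```

The echo check only classifies alerts after the fact; stopping them at the source still needs the sensors' logging traffic excluded from inspection, which is the ignore option Jeff asks for.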


-----Original Message-----
From: Bill Marquette [mailto:wlmarque at ...8...]
Sent: Friday, January 19, 2001 9:31 AM
To: Guillaume Arcas
Cc: Roman Danyliw; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] ACID 0.9.5 Released




Guillaume Arcas <guillaume at ...1168...> on 01/19/2001 02:18 AM wrote:

>I take your message as an opportunity to ask if there is space in this
>mailing-list for discussion about daily usage of ACID. I use it since a month
>and surely am one of your most enthusiastic fan(s) in France !! :-)

It's snort related and unless Marty has issues or the threads get too far
off-topic I don't see why we shouldn't be able to discuss usage :)

>More seriously, I would like to expand the usage of ACID sensors to build a
>Distributed IDS for a large network (with a lot of that f*!#@* things called
>switches !! :-)).

>Does anyone here have some experience of that ?

Not as of yet.  I'm working on building a rather large snort/ACID infrastructure
right now.  I'd be more than happy to pass issues I've had back and forth with
you via private email (no sense in letting the lurkers out there see too much
internal information).  I'm actually quite interested in your usage of ACID; I'm
curious to see if our corporate needs are similar in vein to yours and how large
a network you are running and the number of sensors you are expecting to have at
the end of deployment.

--Bill


